Web Application Firewall - WAF

One year ago, I was working with Web Application Firewalls (WAF) to protect web servers against Web Application Vulnerabilities like SQL injection attacks, XSS attacks, CSRF attacks, etc with the aim of protecting XML and Web Services as well as WebSockets. This kind of firewall is much more than a network firewall because while an IDS is able to detect and warn attacks, an IPS is able to detect, warn and block attacks, a WAF is able to detect, warn and block sophisticated attacks like parameter tampering, hidden field manipulation, forceful browsing, etc. Therefore, WAF works much better at the application layer than a traditional firewall.

I’m going to write about how to configure a basic security policy to protect web servers, which is something I have taught in the Security courses on Networks and Systems. First of all, we have to understand how a common web attack works like SQLi attack, which can be used to steal databases or bypass login pages. For instance, we can see the next SQL sentence used to authenticate users in a web page.

$query = "select id from users where nick='$username' and password='".md5($MD5_PREFIX.$password)."' and suspended=0";

However, this PHP code has security weaknesses because if we insert the characters ‘ or 1=1 # into the login form, we are going to bypass the authentication in the web page.

$query = "select id from users where nick='‘ or 1=1 # ' and password='".md5($MD5_PREFIX.$password)."' and suspended=0";

SQLi attack

Now, it’s time to protect the web server with a WAF. I’m going to use F5 BIG-IP ASM but there are other manufactures like Imperva, Akamai or Citrix.

WAF Architecture

We have to create a security policy manually, which builds a basic security policy in Transparent mode that we can review and fine-tune. In addition, we have to select the Rapid Deployment (RDP) template to minimize or eliminate the amount of false positives and the complexity and duration of the initial evaluation deployment period.

Rapid Deployment security policy

After the security policy is deployed and applied, we can attack the web page to see attacks detected into the Traffic Learning.

SQLi attack detected into Traffic Learning

Once there are no false positives, we are ready to configure the security policy into the blocking state and disable the signature staging to actually block real attacks.

Learning and Blocking Settings

If we attack the web page again, we are going to see illegal requests into the application event logs as well as traffic attacks will be blocked by WAF.

SQLi attack detected into Application Event Logs
Regards my friends, protect your web servers and keep studying!!